ISF congress post 4: Keynote session: The view from the advisory board

This was a panel discussion session, so it flowed around quite a bit and wasn’t always focussed.  The below covers most of the main points that were discussed:

Focus no longer on China.

Focus more on what enterprises can do to protect data and work with their customers securely.

Snowden affair, and global information security / assurance – living in a globally surveyed world.


I’ve been following the Snowden debacle in the news;

  • Is this something we need to pay attention to?
  • Tell me three key actions we need to take.


  • US has the ‘right’ to monitor all network traffic that goes via it or US companies from ‘foreigners’.  Doesn’t sound too bad until you realise we are nearly all foreigners (around 97% of the global population isn’t American!).  This has huge ramifications.
  • Snowden affair – nearly all the leaks from this have been of ‘Top Secret’ classification, this hardly ever happens, most leaks are of much lower classification.
  • However – Remember, just because we are looking at the NSA, China has not gone away.  Remembering this is critical to your security posture.
  • Everything is stored forever!  Whether NSA or Google, or other email / search service, all your emails etc are likely stored forever, and probably in several places.
  • On the opposite side, many industries are rightly moving to more openness and sharing data with more people and the right people
  • Other nations are likely better than the US at sharing the findings of their industrial espionage with national companies – the French and Japanese are apparently very good at sharing espionage data with companies based in those countries.  NSA surveillance may be pervasive, but there are questions about how much it shares.  Board members and CEOs need to be aware that this espionage is a reality.
  • Supply chain security is a key factor to consider.
  • Emerging economies have a huge security impact – what they are doing with us, and how we interact and integrate with them.
  • International treaties around how intelligence agencies work abroad around monitoring each other are needed and being worked on.  In democratic countries at least – no comment on what is happening in dictatorships such as Russia and China.
  • Outsourcing data to third parties for processing etc. has been going on for years such as through the use of mainframes.  Cloud services are not a new concept, however the accessibility of these services to many people and the accessibility of the data in them has been a dramatic change.
  • Encrypting data if you own the process end to end can ensure data is securely stored.  Doesn’t really help with processing in the cloud.
  • Who reads the full terms and conditions of the services they use?  How much security and privacy are we inadvertently giving up?
  • We must not confuse Security and Privacy – these are different things.



The internet is a global platform, do you think it will become more balkanised?

  • It was set up by the military, and now they want it back 😉
  • It is already there on many layers – who makes the kit it runs on? Which governments have access to the data or any controls over the data flows?
  • Governments ignored the internet for years, now they all want some control over it, and government agencies all want to monitor and spy on the data on the internet.
    • There is a ‘war’ around who controls the internet occurring right now.
  • The internet and technology are changing very fast, nations / governments are struggling to keep up.



Cloud – is it new or isn’t it?

  • Yes and no.
    • Concept of sharing compute resource and allowing users or companies access to compute resource they couldn’t otherwise afford is not new.
    • Concept of data being anywhere / everywhere, and access to cloud compute and storage is new and the game changer that cloud is advertised to be.
      • Creates many issues
        • Where is your data?
        • Who controls your data?
        • What about international interception / access laws and capabilities?
    • Cost and scale benefits driving use in many businesses
      • How do you best secure this use case?
      • How do you ensure only the right ‘stuff’ gets into the cloud?
      • Do you have the right policies in place?
      • Do you have the right knowledge and skill sets for secure cloud use?
      • Vet staff and people in key positions both in your business and the cloud provider.
      • Encrypt your data – this is true, but I have serious issues around this one based on what sort of processing is required – can Tokenisation or Homomorphic encryption be leveraged?  What other ways do you have to mitigate the risk of data being unencrypted for processing?
    • Cloud is an innovator – gives businesses more opportunities, and also gives us new area to learn to secure.
    • Be proactive – be ready for the cloud, go to the business rather than them coming to you.
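To make the tokenisation and homomorphic encryption question concrete, here is an added example (my own illustration, not something from the panel): an on-premises token vault plus textbook Paillier encryption, so that a cloud service can group invoices by customer and total them while holding nothing but tokens and ciphertexts. The vault key, the small primes and the sample records are constructed for the demo; a real deployment uses a proper key-management system and large primes.

```python
import hashlib
import hmac
import math
import secrets

# Constructed demo secrets and parameters; not from the post and not production values.
VAULT_KEY = b"constructed-demo-vault-key"
DEMO_P, DEMO_Q = 1000003, 1000033   # small primes so the demo runs instantly; real keys use ~1024-bit primes


class TokenVault:
    """On-premises vault: swaps an identifier for a deterministic token and keeps the only copy of the mapping."""

    def __init__(self, key=VAULT_KEY):
        self.key = key
        self._vault = {}

    def protect(self, value):
        # Keyed hash: equal inputs give equal tokens (grouping/joins still work in the cloud),
        # but a token cannot be reversed without the key or the vault.
        token = "tok_" + hmac.new(self.key, value.encode(), hashlib.sha256).hexdigest()[:16]
        self._vault[token] = value
        return token

    def reveal(self, token):
        return self._vault[token]


def paillier_keygen(p=DEMO_P, q=DEMO_Q):
    """Textbook Paillier with g = n + 1; returns (public, private)."""
    n = p * q
    n2 = n * n
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)   # lcm(p-1, q-1)
    g = n + 1
    mu = pow((pow(g, lam, n2) - 1) // n, -1, n)         # inverse of L(g^lambda mod n^2)
    return (n, g), (lam, mu)


def paillier_encrypt(pub, m):
    n, g = pub
    n2 = n * n
    r = secrets.randbelow(n - 1) + 1    # random blinding factor in [1, n-1], coprime to n
    while math.gcd(r, n) != 1:
        r = secrets.randbelow(n - 1) + 1
    return pow(g, m, n2) * pow(r, n, n2) % n2


def paillier_decrypt(pub, priv, c):
    n, _ = pub
    lam, mu = priv
    n2 = n * n
    return (pow(c, lam, n2) - 1) // n * mu % n


def paillier_add(pub, c1, c2):
    """Multiplying ciphertexts adds plaintexts: Enc(a) * Enc(b) = Enc(a + b)."""
    n, _ = pub
    return c1 * c2 % (n * n)


# Constructed records: (customer name, invoice amount)
SAMPLE_RECORDS = [("Alice", 40), ("Bob", 15), ("Alice", 30)]


def cloud_totals_by_customer(records=SAMPLE_RECORDS):
    """End-to-end flow: tokenise + encrypt on-prem, aggregate in the 'cloud', decrypt on-prem."""
    vault = TokenVault()
    pub, priv = paillier_keygen()
    # 1. On-prem: the cloud side only ever receives tokens and ciphertexts.
    outsourced = [(vault.protect(name), paillier_encrypt(pub, amount)) for name, amount in records]
    # 2. Cloud: group by token and total the amounts with no key (ciphertext multiplication).
    sums = {}
    for token, ct in outsourced:
        sums[token] = paillier_add(pub, sums[token], ct) if token in sums else ct
    # 3. On-prem: map tokens back to names and decrypt the totals.
    return {vault.reveal(t): paillier_decrypt(pub, priv, ct) for t, ct in sums.items()}


if __name__ == "__main__":
    print(cloud_totals_by_customer())
```

The point of the demo is the split: equality (grouping, joins) survives tokenisation and addition survives Paillier, while anything else (a free-text search, a multiplication, a greater-than comparison) does not, which is exactly the processing gap the bullet above worries about. A practical scheme picks the narrowest operation the cloud genuinely needs and protects everything else with ordinary encryption.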


Cloud Security Alliance Congress Orlando 2012 pt3 – Day 1 closing keynote

Next Generation Information Security – Jason Witty

Some statistics and facts to set the scene:

– 93.6% is the approximate percentage of digital currency in the global market!

– 6.4% cash and gold available as a proportion of banking and commerce funds.

– 45% of US adults own a smartphone – 21% of phone users did mobile banking last year.

– 62% of all adults globally use social media.

– Cloud ranking as #1 in top strategic technologies according to Gartner – 60% of the public cloud will serve software by 2018.

– 2015 predicted as the year when online banking will become the norm.

– Nielsen global trust in advertising report for 2012:

– 28,800 respondents across 56 countries – online recommendations from known people and review sites 80-90%+ used and trusted; traditional media falling below 50% used and trusted.

– NSA were working on their own secure smartphone.  Plans scrapped and now they are working on how to effectively secure consumer smartphone devices.  Consumer mobile devices are everywhere!

Emerging innovations: cloud computing.

– IDC forecasts $100bn will be spent per year by 2016, compared to $40bn now.

– By 2016 SaaS will account for 60% of the public cloud.

Cost savings are often cited as the reason for moving to the cloud; however other benefits like agility and access to more flexible compute power often mean cloud migrations enable better IT for the business, so you can do more.  So increased quality and profit result, but costs likely remain flat.

Trends in Cybercrime;

Insiders – can be difficult to detect, usually low tech relying on access privileges

Hacktivists – responsible for 58% of all data theft in 2011

Organised crime – Becoming frighteningly organised and business like

Nation states – Since 2010 nation state created malware has increased from 1 known to 8 known, with 5 of those in 2012.   Nation states are now creating dedicated cyber-warfare departments, often as official, dedicated parts of the military.


Organised Crime – Malware as a Service

Raw material (stolen data) – Distribution (BotNet) – Manufacturer (R&D, code, product launch) – Sales and support (delivery, support (MSI package installation, helpdesk), marketing) – Customer (affiliates, auctions / forums, BotNet rental / sales)

Crime meets mobile – Android – patchy updates as they are vendor dependent, many pieces of malware, but Play Store security is getting better.

Nation states are becoming increasingly active in the world of malware creation.


So, next generation information security:

– Must be intelligence driven

  • Customer
  • Shareholder
  • Employee
  • Regulatory
  • Business line
  • Cyber threat

– Must be comprehensive

  • Anticipate – emerging threats and risks
  • Enable –
  • Safeguard

– Must have excellent human capabilities

– Must be understandable – need to explain this and ensure the board understands the risks and issues.  PwC survey: 42% of leadership think their organisation is a security front runner; 8% actually are.  70% of leadership think infosec is working well; 88% of infosec think leadership is their largest barrier to success.

– We cannot do this alone: strong intelligence partnership management

Pending cybercrime legislation:

– White House has stressed the importance of new cyber security legislation.

– Complex laws take time to review and pass; technology environments change fast.

– Various federal laws currently cover cybercrime – the Computer Fraud and Abuse Act, Economic Espionage Act etc.

– Likely executive order in the near future with potentially large cybercrime implications.

While this is a very US centric view, many countries or regions are planning to enact further, more stringent laws / regulations that will impact the way we work.


Intelligence driven: the next phase in information security:

– Conventional approaches to information security are struggling to meet increasingly complex and sophisticated threats.

– Intelligence driven security is proactive – a step beyond the reactive approach of the compliance-driven or incident response mind-sets.

– Building and nurturing multiple data sources.  Developing an organisational ability to consolidate, analyse and report, communicate effectively and then act decisively benefits both operational / tactical security and strategy.

– Establish automated analytics and establish patterns of data movement in your organisation.
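As an added illustration of the last point (my own example, not from the talk or the RSA report), here is a small baseline-and-deviation check over constructed egress records: for each user it learns the median daily bytes out and the set of destinations from earlier days, then flags a day that is far above that median or that talks to a never-before-seen host. Users, hostnames and byte counts are invented sample values.

```python
from collections import defaultdict
from statistics import median

# Constructed daily egress records (day, user, destination host, bytes out); these are
# invented sample values, not logs from the talk or the RSA report.
SAMPLE_EGRESS = [
    ("2013-11-01", "alice", "crm.example.com", 1_200_000),
    ("2013-11-02", "alice", "crm.example.com", 1_050_000),
    ("2013-11-03", "alice", "crm.example.com", 1_300_000),
    ("2013-11-04", "alice", "crm.example.com", 1_100_000),
    ("2013-11-05", "alice", "files.example.net", 18_000_000),
    ("2013-11-01", "bob", "mail.example.com", 300_000),
    ("2013-11-02", "bob", "mail.example.com", 280_000),
    ("2013-11-03", "bob", "mail.example.com", 310_000),
    ("2013-11-04", "bob", "mail.example.com", 290_000),
    ("2013-11-05", "bob", "mail.example.com", 250_000),
    ("2013-11-05", "bob", "paste.example.org", 150_000),
    ("2013-11-04", "carol", "crm.example.com", 900_000),
    ("2013-11-05", "carol", "crm.example.com", 950_000),
]


def daily_profile(records):
    """Roll raw records up into per-(user, day) byte totals and destination sets."""
    totals = defaultdict(int)
    dests = defaultdict(set)
    for day, user, dest, nbytes in records:
        totals[(user, day)] += nbytes
        dests[(user, day)].add(dest)
    return totals, dests


def find_egress_anomalies(records=SAMPLE_EGRESS, ratio=5.0, min_history=3):
    """Flag each user-day whose egress breaks the pattern of that user's earlier days.

    Returns (day, user, kind, detail) tuples. kind is 'volume' when bytes out exceed
    ratio x the median of the user's previous daily totals, or 'new_destination' when
    traffic goes to a host the user has never sent to before. Days with fewer than
    min_history earlier days are skipped: no baseline, no verdict.
    """
    totals, dests = daily_profile(records)
    alerts = []
    for user in sorted({u for u, _ in totals}):
        days = sorted(d for u, d in totals if u == user)
        for i, day in enumerate(days):
            history = days[:i]
            if len(history) < min_history:
                continue
            baseline = median(totals[(user, h)] for h in history)
            seen = set().union(*(dests[(user, h)] for h in history))
            today = totals[(user, day)]
            new_dests = sorted(dests[(user, day)] - seen)
            if today > ratio * baseline:
                alerts.append((day, user, "volume",
                               f"{today} bytes out vs baseline median {baseline:.0f}"))
            elif new_dests:
                alerts.append((day, user, "new_destination", ", ".join(new_dests)))
    return alerts


if __name__ == "__main__":
    for alert in find_egress_anomalies():
        print(*alert, sep="\t")
```

Run it and two alerts appear: a volume spike for one user and a new destination for another, while the user with too little history produces nothing, which is the right call for a baseline-driven rule. In production the same shape of logic runs over proxy or firewall logs with a longer history window and per-role rather than per-user baselines.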

I recommend you review – Getting ahead of advanced threats: Achieving intelligence-driven information security – RSA report, 2012.  This can be downloaded from here;


NSA releases home network security best practices guide

The NSA has released an excellent guide titled ‘Best practices for keeping your home network secure’.  This covers the obvious things like:

– securing your OS (Windows and Mac are covered) via patching and using current software etc.

– home network security via wireless encryption, strong passwords and DNS settings.

The guidance then goes further to cover areas including;

– Email best practices

– Social network site use

– Password management

– Travelling with mobile devices.

Overall, while this is unlikely to be new information for those familiar with IT security, it is great guidance for those not working in this area.  I’d highly recommend you share this with your friends and family and help them understand the advice, as it will improve their home and general online IT security / safety.